A stealthy hacker was able to divert funds towards their own wallet by exploiting an update to decentralized exchange Bisq.
On Tuesday, decentralized cryptocurrency exchange Bisq announced that it had been hacked. Roughly $250,000 worth of Bitcoin (BTC) and Monero (XMR) were stolen. The exchange has since issued a fix along with a promise to fully refund the victims.
Bisq first alerted users to the problem in a tweet. It also abruptly halted all trading on the platform. In a statement on its website Wednesday, Bisq explained that a hacker had exploited a flaw in the Bisq trading protocol, targeting individual trades to steal funds.
“We are aware of approximately 3 BTC and 4000 XMR stolen from 7 different victims,” the company said. The only market affected was the XMR/BTC market, and all affected trades occurred over the past 12 days,” the company said.
A peer-to-peer application, Bisq, which launched four years ago, allows users to buy and sell cryptocurrencies directly from each other in exchange for fiat currencies via a desktop client. The platform has no KYC checks, so users are able to remain private.
Also, since it is a decentralized exchange, Bisq doesn’t store funds in a server, or hot wallet connected directly to the internet, so unlike in centralized exchanges, there was no “honeypot” to siphon.
“Affected users were those involved in active trades only,” Bisq said in a Twitter thread.
How the hack happened
The attacker posed as a user on the platform who was selling BTC to take advantage of a vulnerability in the system, the company said.
Normally, Bisq requires sellers to lock any BTC being sold in a multisig escrow along with a security deposit. If a dispute in the trade arises and a mediator is unable to come up with a solution, the funds are temporarily sent to a fallback address, known as a “donation address.”
“This is meant to be a rare occurrence for extreme circumstances,” said Bisq.
But in this event, the hacker was able to set the donation address to point to their own address. This allowed them to claim the funds as their own.
“Rather than going to the legitimate owner, the digital assets arrived with the attacker, along with the buyer’s payment and security deposit too,” the exchange said.
The software flaw that allowed this to happen was in an update released in late October. The new version was aimed at improving decentralization by removing trusted third parties in the multisig escrow used for Bitcoin trading funds, but the solution backfired, allowing hackers a foot in the door.
Bisq said it planned to make good on the losses by creating a smart contract in the “Bisq DAO,” that will aim to repay the victims from future trading revenues.
“Security has always been a top priority for Bisq, but this incident shows it wasn’t perfect. The project is evaluating several approaches to strengthening security reviews and practices even more, and will detail them soon,” the company said.
Lucky the exchange isn’t truly decentralized then.
GIPHY App Key not set. Please check settings